
Topic 5. Malicious Software

Garantía y Seguridad en Sistemas y Redes

Esteban Stafford

Departamento de Ingeniería Informática y Electrónica

This topic is published under the license:

Creative Commons BY-NC-SA 4.0

Page 2: Garantía y Seguridad en Sistemas y Redes. Tema 5 ......Attack kits and Attack sources Attack Kits Creation of malware requires great technical skills. Today, tools exist to create

Grupo de Ingeniería de Computadores

5. Malicious Software
G678: Garantía y Seguridad en Sistemas y Redes
Esteban Stafford
Santander, October 20, 2015

Contents

Types of Malicious Software (Malware)

Propagation–Infected Content–Viruses

Propagation–Vulnerability Exploit–Worms

Propagation–Social Engineering–Spam E-mail, Trojans

Payload–System Corruption

Payload–Attack Agent–Zombie, Bots

Payload–Information Theft–Keyloggers, Phishing, Spyware

Payload–Stealthing–Backdoors, Rootkits


Anatomy of Malware

Means of transport: Removable media, Network, Email.
Infiltration tool: User, Vulnerability, Code injection.
Attitude: Spread, Hide, Mutate.
Payload: Destroy stuff, Send spam, Attack elsewhere, Spy.


Broad malware classification

Virus: When executed, tries to replicate itself into other executable code, infecting it. When the infected code is executed, the virus also executes.
Worm: A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network.
Logic bomb: A program inserted into software by an intruder. A logic bomb lies dormant until a predefined condition is met; the program then triggers an unauthorized act.
Trojan horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program.
Backdoor: Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality.
Mobile code: Software (e.g., script, macro...) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
Exploits: Code specific to a single vulnerability or set of vulnerabilities.
Downloaders: Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail.
Auto-rooter: Malicious tools used to break into new machines remotely.
Attack kits: Set of tools for generating new malware automatically.
Spammer: Used to send large volumes of unwanted e-mail.
Flooders: Used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service (DoS) attack.
Keyloggers: Captures keystrokes on a compromised system.
Rootkit: Set of tools used after an attacker has broken into a computer system and gained root-level access.
Zombie, bot: Program activated on an infected machine that is activated to launch attacks on other machines.
Spyware: Software that collects information from a computer and transmits it to another system.
Adware: Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.


Attack kits and Attack sources

Attack Kits
Creation of malware requires great technical skills. Today, tools exist to create and manage malware easily. These toolkits are known as crimeware. Malware created this way is easier to detect, but their large number makes them difficult to defend against.

Attack Sources
In the past, attackers sought to demonstrate technical ability. Today, the main motivation is money, but it can also be political or even military.


Viruses

At a glance...
Means of transport: Removable media, Email.
Infiltration tool: User.
Attitude: Spread.
Payload: Destroy stuff, encrypt files and ask for ransom.

Figure (diagram): Infection (exe, virus); Propagation (exe, exe, exe, mbr); Compression (virus, exe, zip); Encryption / Mutation (virus, exe).


Worms

At a glance...
Means of transport: Network.
Infiltration tool: Vulnerability.
Attitude: Spread.
Payload: Spy, open backdoor, deploy bot...

Worms propagate through vulnerabilities. Viruses do not need this: they propagate by "legitimate" methods, where the user "helps" the virus. The worm "helps itself", and therefore spreads much faster. Vulnerabilities can be reduced by patching and firewalls. Infections can be removed by antivirus software.


Worms

Zero-day vulnerabilities are those that don't have a patch available. Typically, worms exploit vulnerabilities of:

Remote file transfer, login or execution services.
Email or instant messenger.
Browser: drive-by download.
Web server: code injection, cross-site scripting (XSS).

A worm finds new targets by:
Random IP address.
Pre-written hit-list.
Topological search.
Local subnet.


Spam

Not widely known as Unsolicited Bulk Email (UBE).
Not strictly malware — no code.
Accounts for 70-90% of all emails sent.
In the past, spam was sent by compromised legitimate mail servers. Large-scale protection by blacklisting.
Today, spam is sent by botnets. User-scale protection by antispam filtering: keywords, Bayesian filters.
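As an added illustration (not part of the lecture slides), here is a minimal user-scale filter combining the two protections the slide names: a sender-domain blacklist applied first, then a naive Bayes classifier over message tokens with Laplace smoothing so an unseen word cannot zero out the estimate. The training messages and blacklist domains are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not from the lecture): short messages labelled
# spam or ham, just enough to show how per-token probabilities are learned.
TRAINING = [
    ("spam", "cheap pills buy now limited offer click here"),
    ("spam", "you won a prize click here to claim your money now"),
    ("spam", "buy cheap watches free offer money back"),
    ("ham", "meeting tomorrow at ten to review the lab assignment"),
    ("ham", "please send me the slides from the security lecture"),
    ("ham", "the exam review session is scheduled for friday"),
]

# Constructed sender-domain blacklist: the coarse, large-scale protection.
BLACKLIST = {"promo.example.invalid", "lottery.example.invalid"}
TOKEN = re.compile(r"[a-z]+")

def tokenize(text):
    return TOKEN.findall(text.lower())

def train(corpus):
    """Count tokens per class; returns (token counts, doc counts, vocabulary)."""
    counts = {"spam": Counter(), "ham": Counter()}
    docs = Counter()
    for label, text in corpus:
        counts[label].update(tokenize(text))
        docs[label] += 1
    vocab = set(counts["spam"]) | set(counts["ham"])
    return counts, docs, vocab

def spam_probability(text, model):
    """Naive Bayes with Laplace (+1) smoothing; returns P(spam | tokens)."""
    counts, docs, vocab = model
    log_odds = math.log(docs["spam"] / docs["ham"])  # class prior
    n_spam = sum(counts["spam"].values()) + len(vocab)
    n_ham = sum(counts["ham"].values()) + len(vocab)
    for tok in tokenize(text):
        # Smoothing keeps an unseen token from zeroing the whole product.
        p_spam = (counts["spam"][tok] + 1) / n_spam
        p_ham = (counts["ham"][tok] + 1) / n_ham
        log_odds += math.log(p_spam / p_ham)
    return 1.0 / (1.0 + math.exp(-log_odds))

def classify(sender, text, model, threshold=0.9):
    """Blacklist first (cheap, no content needed), then the Bayesian filter."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in BLACKLIST:
        return "spam", 1.0
    p = spam_probability(text, model)
    return ("spam" if p >= threshold else "ham"), p

MODEL = train(TRAINING)
```

The high threshold reflects the usual asymmetry of costs: a missed spam is an annoyance, a legitimate message silently dropped is a real loss.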


Trojan horses

At a glance...
Means of transport: User download.
Infiltration tool: User.
Attitude: Hide.
Payload: Spy.

Trojan horses pose as useful software that the user installs. A Trojan might:
Perform the original and malicious functionality.
Pervert the original purpose of the application.
Perform only malicious activity.


Destructive malware

Data destruction
Delete files. Zero filesystem structures.
Encrypt files and demand payment to obtain the key.

Real-world damage
Alter BIOS settings to render the computer unbootable.
Continuously write media to produce bad sectors.
Rewrite industrial equipment firmware, inducing failure.

Logic bomb
Malware produces damage when some conditions are met: date, number of infections, user starts an application, incomplete malware removal, successful spying.


Remote control

Bots, Zombies
A compromised machine obeys commands from a master. A group of [ro]bots is called a botnet.

DDoS attack.
Relay spam.
Sniff traffic.
Use computing power.
Keylog / video capture.
Seed new malware.
Install unwanted software.
Manipulate polls/games.
Anonymizing proxy.

Communication to master: IRC, HTTP, peer-to-peer. Bot functionality is usually preinstalled, but it can also be updated.


Personal information theft

Credential theft, keylogging and spyware
Since authentication became encrypted, traffic sniffers are less effective. Keyloggers monitor keyboard events and keep login data. Mouse-driven authentication caused the development of spyware:
Wider monitoring capabilities.
Redirection of certain web pages.
Alteration of browser-server communication.


Personal information theft

Identity theft, phishing and spear-phishing
Phishing uses spam to lure users to fake web servers. Unaware users might give important credentials or data to the fake server. Spear-phishing is a carefully crafted phishing attack directed at selected victims.

Reconnaissance and espionage
Same techniques as above, but not focused on personal credentials.


Stealth Access

Backdoor
Also known as a maintenance hook; it allows the developer to debug software. An unscrupulous programmer might leave or forget it in the production version.

Rootkit
Set of tools to grant covert privileged access to a system. They modify the system to hide their presence. Types: persistent, memory based, user mode, kernel mode, external mode, virtual machine based.
